Kroll: Low Cyber Maturity Drives AI Incident Rates To 89% – And Most Firms Are In The Middle


Kroll surveys 1,000 decision-makers across 10 countries. The findings reveal a persistent gap between confidence and capability, as well as a direct link between cyber maturity and AI incident exposure.

Kroll has released its 2026 State of Cyber Resiliency report. The firm surveyed 1,000 cybersecurity decision-makers across 10 countries. Respondents represent companies with annual revenues from $50 million to more than $5 billion. The results are uncomfortable reading. Organizations are spending more, acknowledging more, and preparing less effectively than they believe they are.

The central finding is not about any single threat. It is about the gap between strategic intent and operational reality. Cyber maturity determines whether AI adoption becomes an advantage or a liability. The data makes that relationship precise and measurable.

The Strategy Gap That Won’t Close

Ninety-four percent of respondents view cybersecurity as a core or top business risk. Nearly half name it their leading concern. CEOs now make the final call on cyber budgets in 48% of surveyed organizations. Leadership owns the risk. The decisions, however, frequently do not reflect it. Seventy-two percent of respondents say cybersecurity priorities and business priorities frequently diverge. Fifty-one percent cite differing risk tolerance between security teams and executives as the main cause. Forty-three percent point to limited cyber literacy at the executive level.

The financial stakes make this gap harder to excuse. The average financial impact of a cyber incident across the surveyed organizations exceeds $20.9 million. Yearly recovery costs and downtime alone average $2.2 million. These are not theoretical numbers. UnitedHealth Group reported $799 million in final cyberattack costs in its 2025 earnings materials. The Marks & Spencer breach earlier that year produced four months of downtime and wiped out the retailer’s annual profit. The cost of misalignment is no longer abstract.

Companies Overestimate Their Own Resilience

Ninety-six percent of respondents say their organizations have quantified their cyber risk. Fifty-four percent rate their companies as moderately or highly resilient. Ninety-one percent believe their teams can respond to a serious incident within 24 hours. The CrowdStrike 2026 Global Threat Report puts the average e-crime breakout time at 29 minutes, a 65% increase over 2024. The fastest recorded breakout time is 27 seconds. Only 19% of respondents believe their teams can respond within minutes. The gap between belief and capability is wide and dangerous.

Kroll’s NIST maturity assessments consistently show that organizations fall short of their defined security standards. Self-assessment is a poor proxy for demonstrated resilience. For underwriters, this overconfidence pattern is a material risk factor. Policyholders who believe they are prepared tend to underinvest in the controls that would actually reduce loss frequency and severity.

Figure: Stat comparison graphic showing 72 percent of organizations believe they can respond within 24 hours versus the 29 minute average e-crime breakout time, from the Kroll 2026 cyber resiliency report. This sort of data directly impacts cyber insurance underwriting.

Rising Budgets, Misaligned Spending

Eighty percent of respondents increased their cybersecurity budgets for 2026. The mean budget increase is 18%. The money, however, is flowing in the wrong directions. The top spending category is cloud and third-party security, cited by 59% of respondents. Yet the most frequently experienced attacks are phishing, cited by 39% of respondents, followed by cloud exploits at 31% and business email compromise at 28%. Sixty-seven percent of all cyberattacks are identity-centric. The spending pattern does not match the threat pattern.


The cuts are equally telling. Twenty-five percent of organizations are reducing headcount in 2026. Twenty-four percent are cutting red and purple team capabilities. Twenty-three percent are trimming identity and access management investment. These are foundational controls, and they are being deprioritized at the same moment AI is expanding the attack surface. For brokers reviewing accounts, budget allocation is now as important a signal as budget size.

Cyber insurance itself ranks midfield in the spending data. Fifty-one percent of respondents increased cyber insurance spend. Twenty-nine percent name it a top investment priority for the next 12 to 24 months. That places it fifth on the priority list, behind AI security and governance, threat detection, cloud security, and security awareness training. The data on identity controls being relaxed for AI deployment speed mirrors what Delinea found earlier this year — budget pressure and AI urgency are pulling organizations away from the fundamentals that make them insurable.

Cyber Maturity Is The AI Incident Variable

The AI findings are the most direct underwriting data in the report. Seventy-six percent of respondents experienced a security incident involving AI applications or models in the past two years. Twenty-seven percent report costs exceeding $1 million from a single AI-related incident. Forty-eight percent have little or no organizational governance on AI tool and service adoption. Organizations spend an average of just 13% of their AI initiative budget on testing security controls or the models themselves.

The maturity correlation is the number that matters most. Among organizations with very low cyber maturity, 89% experienced an AI-related security incident. Among those with very high cyber maturity, that figure falls to 54%. Forty-six percent of very high maturity organizations reported zero AI incidents in the past two years. Very high maturity companies are six times more likely to spend more than 20% of their AI budget on security testing. Only 10% of all surveyed organizations reach that very high maturity threshold.

Dave Burg, Global Group Head of Cyber and Data Resilience at Kroll, put the core problem directly. Burg said: “Businesses enthusiastically integrate AI without getting the fundamentals right first.”

Quiessence Phillips, Head of Security Architecture and Engineering at Kroll, stated: “Adoption without concurrent investment in security foundations is not bold, it’s reckless.”

This data directly supports the case for affirmative AI coverage as an underwriting variable tied to maturity scoring — a point we examined in depth when Cowbell launched Prime One this week. The Kroll maturity gradient gives that product category an empirical foundation. Carriers pricing AI risk without a maturity assessment are working with incomplete information.


The LLM agent research from MIT and Carnegie Mellon published earlier this year showed exactly the kind of incidents Kroll is now quantifying at scale — unauthorized access, data exposure through normal system features, and failures that occur outside traditional attack vectors. Low-maturity organizations are most likely to encounter those scenarios and least likely to contain them.

Incident Response Plans Are A Box-Ticking Exercise

Ninety-nine percent of respondents say their organization has an incident response plan. Most insurers require one before issuing a policy. The quality of those plans is a separate question entirely. Only 3% of organizations update their incident response plan after an actual cyber incident — the moment when real lessons are available. Eighty-three percent update monthly or quarterly on a calendar schedule, independent of events.

The insurance link here is direct. Forty-four percent of respondents say their businesses lack clarity on their cyber insurance coverage and requirements. Organizations with advanced cyber maturity account for the 67% who do understand their coverage clearly. Maturity and insurance literacy move together. Low maturity organizations are both more likely to suffer an incident and less likely to understand whether their policy responds to it.

That clarity gap is a claims problem waiting to surface. Brokers placing accounts in the mid-market should treat the 44% figure as a benchmark. If nearly half of all organizations cannot explain what their policy covers, renewal conversations need to include a coverage walkthrough — not just a premium discussion. Erin Kenneally’s warning in an earlier Cyber Insurance News podcast that AI risk could replay the ransomware market’s mistakes applies directly here. The ransomware crisis was partly a clarity crisis. Policyholders discovered their coverage only at claims time. The Kroll data suggests AI incidents are heading toward the same collision.


What The Report Means For Underwriters And Brokers

The Kroll report gives the cyber insurance market what it has lacked for AI risk: a measurable maturity gradient with incident-frequency data attached. The gap between 89% and 54% is not a soft finding. It is a pricing variable. Organizations at the low end of the maturity spectrum are not just more likely to have an incident. They are more likely to have one that costs over $1 million, less likely to respond in time to limit damage, and less likely to understand whether their policy covers what happened.

For underwriters building AI risk frameworks, the report’s five-level maturity model maps cleanly onto the kind of risk stratification that made ransomware coverage more precise after 2020. The parallel is exact. The question is whether the market moves proactively or waits for loss data to accumulate.


FAQ: Kroll Cyber Resiliency Report And Cyber Maturity

What does the Kroll report say about cyber maturity and AI incidents?

Organizations with very low cyber maturity experience AI-related security incidents at a rate of 89%. Those with very high cyber maturity experience them at 54%. Forty-six percent of very high maturity organizations reported zero AI incidents in the past two years. Only 10% of all surveyed organizations reach very high maturity.

What is the average financial impact of a cyber incident according to Kroll?

The average financial impact across surveyed organizations exceeds $20.9 million. Yearly recovery costs and downtime alone average $2.2 million. Twenty-seven percent of organizations report AI-related incident costs exceeding $1 million.

Why does the cyber insurance coverage gap matter for policyholders?

Kroll found that 44% of organizations lack clarity on their cyber insurance coverage and requirements. Organizations with higher cyber maturity are significantly more likely to understand their coverage. This gap means many policyholders discover policy limitations at claims time rather than at renewal.

What is the problem with incident response plans?

Ninety-nine percent of surveyed organizations have an incident response plan. Only 3% update it after an actual cyber incident. Most update on a calendar schedule regardless of events. Kroll identifies this as a critical gap, because real incident data is the most valuable input for improving response capability.

How does AI governance relate to cyber maturity?

Forty-eight percent of organizations have little or no governance on AI tool adoption. Very high maturity organizations are six times more likely to spend over 20% of their AI budget on security testing. Without governance and foundational controls, AI adoption expands the attack surface faster than organizations can manage it.
